Smart or illegal marketing?
Excerpt from Bruno DUMAY's book: GDPR DECRYPTION – For Managers, Strategic Departments and employees of companies and organizations – Preface by Gaëlle MONTEILLER
Let's be clear: for the past fifteen years, good marketing has largely been based on the intelligent use of personal data. Raise your hand if you've never passed on product information to a targeted individual without asking. Come on? No hand raised, I figured. Let whoever has never kept a name, phone number, or email address without notifying the person concerned cast the first stone. Okay, no stones. Let whoever has never... I think you get the idea.
Of course, some have gone much further, attracting, recovering, then diverting or transferring the profiles of innocent people, interesting because they are consumers, who had the weakness to open a site, to follow a link, or to express themselves by registering, joining, or making a comment… And who, it goes without saying, rushed to accept the general conditions of sale. Read them? Surely you don't think so. Responsibility is therefore shared.
Lately, it must be admitted, the traps have multiplied. Certainly, consumer frenzy, addiction to networks, and the need for recognition – "I exist, I click!" – have played their part in the creation of giant databases, with hundreds of millions of individuals giving themselves up without hesitation to anyone who wants to harass them.
So why deprive ourselves? It was beautiful, the new economy, horizontality, Uberization, artificial intelligence. Data, what a hobby! And we all went for it, all the way! The crisis? My eye. Not for everyone, and not for everything. Never have small men manufactured, sold, and bought so much. To avoid going under, we sell. Even if it means collapsing. Every name, and every piece of information associated with that name, was worth keeping, testing, profiling. Everyone needs something, one day. You just have to create it, this need, sorry to reveal it. Satisfy it? Yes, but not too much anyway. So that the machine keeps turning.
We knew. We accepted it. Yes, but there you go. We went too far. Are we adults? No, adults don't exist. Only children grow up. So, like kids, we always wanted more and we went too far. Or we almost went too far. Before it was too late, the authorities took action. The CNIL hadn't let us go, but, benevolent and confined to its own territory, it was overwhelmed. So Europe intervened. Several times. First in 1995, and then in 2016, with effect today.
What is this effect? Illegality. What was once smart marketing is now illegal marketing. From now on, if you use your customer or user files as before, you are acting illegally. And yes. But?… No. How?… Because.
It's about understanding what personal data is and how it should be treated. The stakes are high, the risks high. Fines in the millions of euros, personal liability, justice, court, do those ring a bell? We're not joking anymore. Mark, Larry, Sergey, Jeff, can you hear me? Don't laugh, you too. Even if digital giants are the main targets of GDPR, all organizations are affected, regardless of their size. Large companies, startups, plumbers, Triffouillis town hall, and associations such and such: you can no longer use your files as you see fit.
Of course, there were already some rules and some sanctions. Really? Yes. So, in January 2018, before the regulation came into force, Darty was sanctioned by the CNIL for not having sufficiently secured its customers' data. The disputed use actually came from a subcontractor, but it was the company that was fined. A €100,000 fine. So it's not nothing, but it's a peccadillo compared to what can happen to you from now on, if you too are not vigilant enough.
We're dreaming. No, not at all. European law stipulates that data belongs to citizens, and that no organization can appropriate it to use it as it sees fit. Ah... Companies must clearly and precisely indicate how they collect, process, and store personal data. It's a question of loyalty, transparency, specific, legitimate, adequate, and limited purposes... Huh? These words would have made us laugh before. But times have changed. European authorities are reacting, and we can understand why.
You must conduct an impact assessment before processing your data, adhere to a code of conduct that will govern practices in your sector, and appoint a data protection officer who will report any incidents to the supervisory authority, the CNIL in France. Various penalties are provided for non-compliance with these regulations, ranging from a warning to a fine of €20 million or 4% of the company's global turnover. Um... Oh dear.
It's heavy. Even brutal. But it's for our own good. Still... Okay, okay. It's true that something had to be done. That we, as companies, tended to strip ourselves, as individuals. The former take from the latter a name, then an address, then a taste, then a habit, then a profile, and then, without us realizing it, they take away their free will. Freedom. Most companies don't mean any harm. Just marketing. But in the end... Enough is enough.
With Web 2.0, we realized that wealth lay in data, leading to the all-powerful nature of big data today. This power is such that some wonder if the notion of a boundary between public and private life still has any meaning. Isn't it too late? wonder others. The initiators of the GDPR don't think so, or at least they don't say so. For them, we can and must intervene so that we are not dispossessed or vampirized by data centers and those who own them.
This swing of the pendulum is in the air. A study by Pegasystems conducted among 7,000 consumers in spring 2017 in seven European Union countries shows that 82% of citizens have decided to assert their rights under the GDPR. And the French, along with the Spanish and Italians, seem the most sensitive about their personal data. Thus, 96% of French respondents want to know what information about them is held by companies. Given the growing concern among citizens to have their rights recognized, these figures are not to be taken lightly.
Building trust, combining protection and free movement
The GDPR is therefore not a text that can be quickly forgotten after its implementation date. It is intended to put a stop to the theft of information that should remain confidential and to the intrusion into private lives. The protection of individuals is therefore the primary objective of the GDPR.
From the beginning of the recitals (no fewer than 173), the tone is set: "The protection of individuals with regard to the processing of personal data is a fundamental right" (recital 1). And even "The processing of personal data should be designed to serve humanity" (recital 4).
If the need for protection is felt, it is because the members of the European Parliament and the Council, representative emanations of the EU citizens, considered that companies, and in some cases perhaps administrations, had gone too far in the exploitation of personal data. Indeed, the GDPR is part of a socio-economic evolution, recalled in recital 6: "Rapid technological developments and globalization have created new challenges for the protection of personal data. The scale of collection and sharing of personal data has increased significantly. Technologies allow both private companies and public authorities to use personal data in their business activities as never before. Individuals increasingly make information about themselves publicly and globally accessible. Technologies have transformed both economic and social relations, and should further facilitate the free flow of personal data within the Union and their transfer to third countries and international organizations, while ensuring a high level of protection of personal data."
It is clear that the EU is not blaming one party more than the other, but is showing the shared responsibilities of businesses, public authorities, technology and individuals themselves.
Europe is not exempt either, since recital 9 states: "While it remains satisfactory in terms of its objectives and principles, Directive 95/46/EC (the first European reference text on the subject) has not prevented fragmentation in the implementation of data protection in the Union, legal uncertainty or the widespread public feeling that significant risks to the protection of individuals remain, particularly in the online environment."
The main problem identified is the difference in levels of protection between countries. Therefore, unity, for all companies throughout the EU, and even for their subcontractors outside the EU, appears to be a sine qua non condition for an effective policy in this area. "In order to ensure a consistent and high level of protection of natural persons and to remove obstacles to the flow of personal data within the Union, the level of protection of the rights and freedoms of natural persons with regard to the processing of such data should be equivalent in all Member States. It is therefore appropriate to ensure consistent and uniform application of the rules for the protection of the fundamental rights and freedoms of natural persons with regard to the processing of personal data throughout the Union" (recital 10).
The text, although very restrictive as we shall see, nevertheless has a positive economic objective: "These developments require a solid and more coherent data protection framework in the Union, accompanied by rigorous application of the rules, because it is important to generate the confidence that will allow the digital economy to develop throughout the internal market" (recital 7).
"Trust." In our opinion, this is the most important word. If the GDPR aims to guarantee, restore, or "instill" citizens' trust in public and private stakeholders in the single European market, then we wholeheartedly support it. It is essential that people who shop online, use a service, consult offers, or express an opinion can carry out these actions without fear of being deprived of part of their privacy.
Without fear of being dispossessed, or even harassed, to use a buzzword since late 2017 that could apply to digital technology. How many times each day do we receive information we never requested, supposedly because we subscribed to something we were unaware even existed? Today, we have to unsubscribe even though we were never subscribed. If the GDPR is applied correctly, this will no longer be necessary: sending a newsletter is now prohibited if the recipient has not expressly consented.
This newfound respect is a good thing. Economic exchanges are never as fruitful as when the different parties feel confident in each other.
These fluid exchanges are clearly encouraged: “In order to ensure a consistent level of protection of natural persons throughout the Union, and to avoid divergences hindering the free flow of personal data within the internal market, a regulation is necessary to provide legal certainty and transparency for economic operators, including micro, small and medium-sized enterprises, to provide natural persons in all Member States with the same level of enforceable rights and obligations and responsibilities for controllers and processors, and to ensure consistent supervision of the processing of personal data, and equivalent penalties in all Member States, as well as effective cooperation between supervisory authorities of different Member States. For the internal market to function properly, it is necessary that the free flow of personal data within the Union is neither restricted nor prohibited on grounds relating to the protection of natural persons with regard to the processing of personal data” (recital 13).
As we can see, data protection should not be a hindrance, but rather an asset "for the internal market to function properly." Article 1 of the GDPR incorporates this combination of the two objectives. Let us simply quote the first paragraph: "This Regulation lays down rules on the protection of natural persons with regard to the processing of personal data and rules on the free movement of such data." Protection and free movement, the two foundations of the European Union, could not have been stated more explicitly.
The following recitals sometimes announce word for word the articles to come, except that they are most often written in the conditional, to show the wish, the intention, while the articles are in the indicative, meaning that they are legally binding.
The philosophy of the text having been established, let us now observe its principal provisions.